Microsoft's Trustworthy Computing Hits 10-Year Anniversary

The foundation for the initiative came from a 2002 Bill Gates memo, in which he laid out his plans to make sure Microsoft software is always readily available and always improved upon when flaws arise.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable," wrote Gates in a company-wide e-mail. "Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.

"So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

According to Microsoft, one of the highlights to come out of TwC was Microsoft's Security Development Lifecycle (SDL), under which any Microsoft software or product available to customers must go through the appropriate amount of testing, debugging and support. Another important component is the support of third-party vendors and the public, who advise when issues arise and help debug flaws in the software.

"Building on our internal changes, we realized collaboration with the industry was core to helping businesses, governments and citizens realize safer computing experiences within a dynamic, changing and increasingly complex threat landscape," said Scott Charney, corporate vice president of Microsoft Trustworthy Computing, in the retrospective. "No one company, individual or technology can drive this change alone."

And Microsoft hasn't been alone. Many companies, including Adobe and Cisco, have instituted similar security development lifecycles based on Microsoft's original model. Brad Arkin, senior director of security at Adobe, said that his company's own lifecycle works so well because it had both bad and good examples from Microsoft on what to do during the early stages of SDL. "In formalizing our own secure product lifecycle, we were eager to tap into that knowledge instead of reinventing the wheel," said Arkin. "This allowed us to spend more time on the actual implementation across all of our product teams."

Another component of Microsoft's TwC is the commitment to user and data privacy. As cloud adoption continues to grow, and users juggle multiple always-connected devices, Microsoft sees protecting the privacy of each user (whether from security issues or individual rights) as the next challenge. "While computers were originally embraced by governments and businesses to promote commerce, now, with the consumerization of IT and social networking, all these devices and services constitute the social fabric of our lives," said Charney.

Microsoft's Trustworthy Computing Timeline.

In the retrospective, Microsoft also acknowledges that for TwC to continue successfully, it will have to adapt to both emerging technology and the unique security issues that arise from it. According to the feature, "security, privacy and reliability strategies must evolve to remain potent. There is still much work that our industry must do to make computing more trustworthy. Everyone at Microsoft and the entire computing ecosystem has a role to play."